Pentagon Looks to Cash in on Crowdsourced Hacking

The Pentagon wants more hackers to take aim at its systems, launching another program that invites crowdsourced attacks from outside the Department of Defense (DoD) to help it identify and mitigate vulnerabilities in its networks and information systems.

The latest version of the bug bounty program, run by Defense Digital Services, will enlist hacker teams for a variety of attacks, with some lasting a week or two and others operating for a year with options to be renewed. DoD will pay cash awards for hackable vulnerabilities found across the “full range” of its networks, systems and data, including Web applications, software, source code, and software-embedded devices, according to its Sources Sought Notice.

The program, formally referred to as Crowdsourced Vulnerability Discovery and Disclosure (CVDD) services, builds on the “Hack the Pentagon” program, which was kicked off in April 2016 and has grown since. DoD tests its systems itself, but saw the advantage of having outside, white-hat hackers probe its systems in a controlled environment. And the effort has paid off, department officials say, not only in the number of vulnerabilities found and fixed, but in bang for the buck.

The initial Hack the Pentagon pilot, which ran for a little over three weeks, involved more than 1,400 hackers who identified 138 legitimate vulnerabilities, which DoD then worked with bug bounty company HackerOne to fix. Then-Secretary of Defense Ash Carter said that finding and mitigating those vulnerabilities through a traditional contracting process would have cost more than $1 million. The total cost of the pilot: $150,000.

The results from the pilot convinced DoD that crowdsourced cybersecurity was worth further investment. In October 2016, DoD awarded contracts totaling about $7 million to HackerOne and Synack to create a vehicle that DoD components could use to create their own bug bounty projects. In 2016, “Hack the Army” found 138 vulnerabilities for the price of $100,000 in bounties. In 2017, “Hack the Air Force” paid out $130,000 in awards to hackers who had uncovered 207 vulnerabilities. Last month, the Defense Travel System launched a bug bounty program to find weaknesses in its global network. Overall, Hack the Pentagon has identified and resolved more than 3,000 vulnerabilities.

Crowdsourcing has become a go-to practice for DoD in a number of areas, from using online games to accelerate the verification process for new software, to helping the Intelligence Community find more accurate methods of geopolitical forecasting, to generating innovative ideas for military operations.

Under the latest CVDD program, which will have a contract separate from the current deals with HackerOne and Synack, participants will work through a secure portal on the contractor’s platform to access both Internet-connected and closed systems, according to the solicitation. Short-term efforts–those lasting one or two weeks–are expected to have 50 to 100 researchers for operations with a smaller scope, and about 200 researchers for those with a broader focus. Long-term efforts lasting 12 months or more will crowdsource the work of 50 to 150 researchers.